Struggling with Webstart and Java issues.

Postby ehrenfeu » Wed Feb 05, 2014 10:22 am

Dear all,

recently we get a lot of complaints by our users saying they are not able to run Insight any more on their machines (we are using Webstart to avoid out-of-sync client versions). We didn't do any recent changes to our OMERO server, currently we're one minor version late (making it 4.4.9).

First I thought this was only an issue with MacOS (as documented in [1]) but now also Windows people are unhappy. The error message states (see screenshot below) the application was blocked by security settings, which did not show up until a few days ago. I tried with a Windows machine running Java7, Update 45. Playing with the "Security" settings in Java's control panel, I managed to make it work again. However, that's a per-user setting, and I'd need to tell all my users how to find the Control Panel and what exactly to change there. Am I correct in assuming this is due to the fact that the webstart jars are provided via http instead of https or is this more the code signing stuff as well? I couldn't find where to adjust this, as our webclient is already running on https only and the OMERO config just contains an entry "webstart_host" but nothing about the protocol or port.

[Screenshot (1): Error / Windows]

In addition, even when lowering the security level, there is still a Warning presented to the user about the application (attachment 2), but I guess this is about the previously mentioned signing issue?

[Screenshot (2): Warning / Windows]

On Linux and MacOS, I am able to add an exception for this specific host only, while retaining the general security level on the default. This doesn't seem to be possible with Windows.

[Screenshot (3): Exception / Linux]

Any help is greatly appreciated!
Thanks
~Niko

[1] http://www.openmicroscopy.org/site/supp ... -os-x-10.8
ehrenfeu
 
Posts: 90
Joined: Fri May 11, 2012 8:21 am
Location: Basel, Switzerland

Re: Struggling with Webstart and Java issues.

Postby manics » Wed Feb 05, 2014 11:29 pm

Hi Niko

Recent versions of Java have defaulted to blocking unsigned applications. We're aware of the issue and are currently investigating the best way to fix this, most likely by providing a way for the jars to be code-signed. This should avoid users having to make any changes to their Java security settings. Note 4.4.10 also has this problem.

Sorry for the inconvenience

Simon
manics
Team Member
 
Posts: 261
Joined: Mon Oct 08, 2012 11:01 am
Location: Dundee

Re: Struggling with Webstart and Java issues.

Postby ehrenfeu » Thu Feb 06, 2014 8:51 am

Thanks, Simon!

Let me know if there is anything we can do to support you guys, as this is somewhat pressing to us (I get multiple calls per day from confused users about this topic).

Is there anything about changing the jnlp-delivery from http to https?

Cheers
Niko

Re: Struggling with Webstart and Java issues.

Postby manics » Thu Feb 06, 2014 11:30 am

Hi Niko

Changing to HTTPS shouldn't make a difference, I think the issue is purely down to the lack of code-signing. We're looking into signing jars as part of the build process, in the meantime there are two workarounds you could try:

  • Download a local client. No installation is necessary, your users can just unzip the archive and run Insight. 4.4.10 clients should be backwards compatible, though if you want you can still access the 4.4.9 clients.
  • Add a security exception. The latest Java (1.7.0_51) should have a place for adding exceptions, as you pointed out earlier versions may not.
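Added example (not part of the thread and not OMERO's own code): a structural check of whether a Web Start JAR carries signature files and which entries they leave uncovered, which is the condition the replies above identify as the cause of the block. The sample JAR, its `org/example` entries and the `SAMPLE` signer alias are constructed for illustration; the check does not validate the signature cryptographically.

```python
import io
import zipfile

SIG_BLOCK_EXTS = (".RSA", ".DSA", ".EC")  # signature block files next to a .SF

def parse_names(manifest_text):
    """Return values of 'Name:' headers, joining folded continuation lines."""
    unfolded = manifest_text.replace("\r\n", "\n").replace("\n ", "")
    return [line[6:] for line in unfolded.split("\n") if line.startswith("Name: ")]

def jar_signing_status(jar_bytes):
    """Structural check only: returns (status, uncovered_entries)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        meta = {n.upper(): n for n in names if n.upper().startswith("META-INF/")}
        # A signer is META-INF/<ALIAS>.SF plus a matching signature block file.
        signers = [u[:-3] for u in meta if u.endswith(".SF") and u.count("/") == 1
                   and any(u[:-3] + ext in meta for ext in SIG_BLOCK_EXTS)]
        if not signers:
            return "unsigned", []
        covered = set()
        for s in signers:
            covered.update(parse_names(jar.read(meta[s + ".SF"]).decode("utf-8", "replace")))
        payload = [n for n in names
                   if not n.endswith("/") and not n.upper().startswith("META-INF/")]
        missing = sorted(n for n in payload if n not in covered)
        return ("signed" if not missing else "partially-signed"), missing

def build_sample_jar(sf_names=None):
    """Constructed sample JAR; sf_names lists entries in a dummy signature file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        for cls in ("org/example/Main.class", "org/example/Util.class"):
            z.writestr(cls, b"\xca\xfe\xba\xbe")
        if sf_names is not None:
            sf = "Signature-Version: 1.0\r\n\r\n" + "".join(
                f"Name: {n}\r\nSHA-256-Digest: AAAA\r\n\r\n" for n in sf_names)
            z.writestr("META-INF/SAMPLE.SF", sf)
            z.writestr("META-INF/SAMPLE.RSA", b"placeholder, not a real PKCS#7 block")
    return buf.getvalue()

if __name__ == "__main__":
    for label, names in (("none", None), ("one", ["org/example/Main.class"])):
        print(label, jar_signing_status(build_sample_jar(names)))
```

A "signed" result here only means the signature files are present and list every entry; `jarsigner -verify` from the JDK is what checks the digests and the certificate chain.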

Re: Struggling with Webstart and Java issues.

Postby ehrenfeu » Thu Feb 20, 2014 1:18 pm

Hi Simon,

just a late follow-up on this:

Downloading a local client is unfortunately not a real option for us as this requires manually updating all client installations after each OMERO upgrade. While this would in theory be possible on the Windows machines using our deployment mechanisms, it is still a PITA on all the various MacOS ones floating around in our groups. And that's about 50% of our users, I'd say...

HTTPS would make a difference in adding the security exception as Java complains a lot when adding one for HTTP and asks for explicit confirmation by the user. Which again means it adds to the confusion for an average user who anyway often doesn't know when (and why) to accept security exceptions, broken/old/wrong certificates etc.

Cheers,
~Niko

Re: Struggling with Webstart and Java issues.

Postby manics » Thu Feb 20, 2014 5:35 pm

Hi Niko

Unfortunately we're having trouble in obtaining a code-signing certificate, I apologise for the continued delay. I'm not sure about the http/https problem, we'll get back to you later.

Best wishes

Simon

Re: Struggling with Webstart and Java issues.

Postby atarkowska » Fri Feb 21, 2014 10:18 am

Hi Niko,

I've just tested how Java behaves on an http vs https host. There seems to be no difference for me.
In both cases, in the end the user must confirm to run the application, see screenshot.

Ola
[Attachment: OMERO.insightScreenSnapz001.jpg]
atarkowska
 
Posts: 327
Joined: Mon May 18, 2009 12:44 pm

Re: Struggling with Webstart and Java issues.

Postby ehrenfeu » Mon Apr 07, 2014 2:55 pm

Thanks Ola,

as you can see in the screenshot, the webstart binary is still delivered via HTTP and thus the exception in Java's security setting has to be created for HTTP also - and there it complains a lot.

Anyway, am I right in assuming from today's release notification this issue is fixed in 5.0.1? :)

Cheers
Niko

Re: Struggling with Webstart and Java issues.

Postby manics » Mon Apr 07, 2014 3:22 pm

Hi Niko

5.0.1 should definitely fix the code-signing issue. Note you'll still get a warning dialog asking "Do you want to run this application". I've tested this locally and I don't receive any warnings using http, could you try this out (after removing your security exceptions) and let me know whether it's working for you?

Thanks

Simon

Re: Struggling with Webstart and Java issues.

Postby ehrenfeu » Mon Apr 07, 2014 9:13 pm

Hi Simon,

I'll test it as soon as we're on OMERO 5 (and report).

Thanks
Niko
